# 用友NC BeanShell远程代码执行漏洞复现 CNVD_2021_30167

require "open-uri"  

class MetasploitModule < Msf::Auxiliary
    include Msf::Auxiliary::Scanner
    include Msf::Auxiliary::Report
    include Msf::Exploit::Remote::HttpClient
   
    def initialize
      super(
        'Name'           => 'CNVD_2021_30167_PoC',
        'Description'    => 'This module is used to scan the target site for CNVD_2021_30167',
        'Author'         => 'Mount',
        'License'        => MSF_LICENSE
      )
      deregister_options('SSL','VHOST','Proxies','RPORT')
      register_options(
        [
          OptString.new('RHOSTS', [true, 'The target HOST.Need not to set', '192.168.1.1']),
          OptString.new('TARGETURI', [true, 'The URI path to the web application', '/']),
        ]) 
    
    end

    def run_host(ip)
  
      uri = datastore['TARGETURI']+'/servlet/~ic/bsh.servlet.BshServlet'  
      begin  
        html_response = nil  
        open(uri) do |http|  
        html_response = http.read  
        end
      rescue => ex
        if ex.message['404']
          print_good('The CNVD_2021_30167 vulnerability was not detected at the target site.')
        else
          print_error('Some errors occurred...')
          print_error(ex.message)
        end
        return
      end   
      
      #  puts html_response
      if html_response['BeanShell']
        print_warning('The CNVD_2021_30167 vulnerability exists at the target site!')
      else
        print_good('The CNVD_2021_30167 vulnerability was not detected at the target site.')
      end
        

    end
end